You can now add a config= line to pkcs11.txt (assuming you are using SQL databases), which forces NSS to restrict the application to certain cryptographic algorithms and protocols. A complete list can be found in NSS Config Options.

New Functions

in pk11pub.h

PK11_SignWithMechanism - This function is an extended version of PK11_Sign().

PK11_VerifyWithMechanism - This function is an extended version of PK11_Verify().

These functions take an explicit mechanism and parameters as arguments rather than inferring the mechanism from the key type using PK11_MapSignKeyType(). The mechanism type CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS. The CKM_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.
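The following is an added example, not code from NSS or from these release notes: it shows how a caller might fill CK_RSA_PKCS_PSS_PARAMS consistently and check that the RSA key is large enough before signing. The helper names pss_params_for_hash and pss_fits_modulus are hypothetical, the PKCS #11 types are local stand-ins so the block compiles without NSS headers, and using a salt as long as the digest is an assumption (a common choice), not something the notes require.

```c
#include <stddef.h>

/* Local stand-ins for the PKCS #11 definitions so the block compiles without
 * NSS headers; with NSS, include <pk11pub.h> and drop this section. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
typedef struct {
    CK_MECHANISM_TYPE hashAlg;   /* hash that produced the digest being signed */
    CK_RSA_PKCS_MGF_TYPE mgf;    /* mask generation function */
    CK_ULONG sLen;               /* salt length in bytes */
} CK_RSA_PKCS_PSS_PARAMS;
#define CKM_SHA256 0x250UL
#define CKM_SHA384 0x260UL
#define CKM_SHA512 0x270UL
#define CKG_MGF1_SHA256 0x2UL
#define CKG_MGF1_SHA384 0x3UL
#define CKG_MGF1_SHA512 0x4UL

/* Hypothetical helper: fill params so hashAlg, MGF1 hash and salt length all
 * match one digest. Returns the digest length in bytes, or 0 if unsupported. */
size_t pss_params_for_hash(CK_MECHANISM_TYPE hash, CK_RSA_PKCS_PSS_PARAMS *p)
{
    size_t hLen;
    switch (hash) {
    case CKM_SHA256: p->mgf = CKG_MGF1_SHA256; hLen = 32; break;
    case CKM_SHA384: p->mgf = CKG_MGF1_SHA384; hLen = 48; break;
    case CKM_SHA512: p->mgf = CKG_MGF1_SHA512; hLen = 64; break;
    default: return 0;           /* refuse hashes not listed above */
    }
    p->hashAlg = hash;
    p->sLen = hLen;              /* assumption: salt as long as the digest */
    return hLen;
}

/* Hypothetical helper: RFC 8017 EMSA-PSS needs emLen >= hLen + sLen + 2,
 * with emLen = ceil((modBits - 1) / 8). Returns 1 if the key is large enough. */
int pss_fits_modulus(size_t modBits, size_t hLen, const CK_RSA_PKCS_PSS_PARAMS *p)
{
    if (modBits < 2) return 0;
    size_t emLen = (modBits - 1 + 7) / 8;
    return emLen >= hLen + p->sLen + 2;
}

/* With NSS: wrap params in a SECItem { siBuffer, (unsigned char *)&params,
 * sizeof(params) } and pass it with CKM_RSA_PKCS_PSS and the hLen-byte digest
 * to PK11_SignWithMechanism(); give PK11_VerifyWithMechanism() the same params. */
```

A 1024-bit key cannot carry SHA-512 with a 64-byte salt, which is the case pss_fits_modulus rejects before any call into the token.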

Bugs fixed in NSS 3.22

Compatibility

NSS 3.22 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.22 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.